Version 35 (modified by lnl, 2 years ago) (diff)


A Usability Evaluation of Tor Launcher

This project evaluates how easy it is for a user to connect to Tor with qualitative (behavioral and attitudinal) methods, makes design changes according to Tor-specific considerations, and verifies that the changes helped with quantitative (measurement-oriented) methods.

Users take more than 10 minutes to connect to Tor if the public relays are censored and 50% of the users cannot connect to Tor if the interface’s hardcoded bridges are censored. The suggested design changes saves users a lot of time--over 20 minutes if they are in censored environments that censor hardcoded bridges.

Designing changes was especially challenging because of atypical, Tor-specific design considerations. You might think that it would be easiest for the user if the process of setting up the connection to Tor was completely automated, and you're right. But it doesn't account for the fact automating the process can put some users at risk or that the relays that work most reliably are magnitudes more expensive and limited in capacity (to name a few reasons). Anyone interested in doing UX work for Tor would especially benefit from reading about these considerations.


  • Linda Lee (@linda): user experience researcher
  • David Fifield (@dcf): computer security researcher
  • Nathan Malkin: user experience researcher
  • Ganesh Iyer: user interface designer
  • Serge Egelman: project adviser
  • David Wagner: project adviser


  • Oct - Dec 2015: user research
  • Jan - Dec 2016: interface redesigns, experiments, paper writing
  • Jan - Mar 2017: paper acceptance, paper polishing
  • Jul 2017: paper presentation at PETS


  • find out why and where users struggle connecting to Tor
  • make changes to the Tor Launcher interface to address those problems
  • measure the impact of those changes to evaluate if we should implement the changes

User pain points

Blanket user targeting

high risk, low risk, know, dont know, anon, censorship--all do the same thing.

Missing information

not all transports are created equal.

Nonexistent mental model

tor-specific concepts, complicated, internet isn't even clear to them

Design changes and results

Proposed UI changes

Resulting Improvements

Future UI changes

Design considerations

User Consent

Decentralized design

Financial constraints

Network eavesdroppers

Third-party knockoffs


Scope and context


Technical background

Funding and collaboration

This work was Linda's master's thesis while she was getting her master's degree in computer science at UC Berkeley. This work was funded by the National Science Foundation (only because she was an NSF fellow) and Intel (because her academic advisers were funded by Intel). Neither funding source requested criteria or changes to this research, but did make sure that Linda had money to work on this. This work was done in collaboration with SCRUB (secure computing research for users' benefit) Laboratory and BLUES (Berkeley laboratory for usable and experimental security) Laboratory, because that's where she worked while studying at Berkeley. Neither research institution requested criteria or changes to this research, but supported this research with its testing resources (computers, participants, etc).

Attachments (7)

Download all attachments as: .zip